Closed
Description
Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=5009340075343872
Project: json
Fuzzer: libFuzzer_json_parse_afl_fuzzer
Fuzz target binary: parse_afl_fuzzer
Job Type: libfuzzer_asan_json
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x6020000000b7
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
bool nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_strin
bool nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_strin
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201702132129:201702140531
Reproducer Testcase: https://clusterfuzz-external.appspot.com/download/AMIfv97mm1JZ4V5k5VCl5P6E-ceJRwUXfsTrq4rlo9BIjo21iQKC195ix4UzRVSlS5NdE_d2mmLbqFB3kJw2nXzOxlNVi6d1s76lCZXC5I0n66KdH7a_lG_lxxBEB4Q_0bSXt9E6XKIstsm5R2om6cpc1OmVjAQ4j75qGxUILIki2AKyK2mVjoma5KsaVg5jG-QKXsyr8fZl3z0l1ccuc0na1dhUTUhdVwAf4VwBxbvEFYtgAKcqtU_LA22GE7DmfiGWXjbvsaxyyf_1BH7oe2fc94qkMwBvJqjh9-VV80Ma4YZRZ3hwohfhJfYN23ijQ0K_Ra6Z-37IE1eb_rri9IndPpkrTS6HUJKeVNsB3UxBCMfCq0uXQy0-Osh3J9PrX_kqrESs4mIxO6Us-YDeLsP5OzppvbaJZ2x6CSnNqfO7geUeYG7PP9o?testcase_id=5009340075343872
Issue filed automatically.
See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
Input: -012274
READ of size 8 at 0x6020000000b7 thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
#0 0x449a13 in StrtolFixAndCheck(void*, char const*, char**, char*, int) /src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2940
#1 0x449f41 in strtoll _asan_rtl_
#2 0x5c0beb in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::strtonum::parse_integral(char**, std::__1::integral_constant<bool, true>) const /src/json/src/json.hpp:11048:24
#3 0x5c07d1 in bool nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::strtonum::parse<long>(long&, std::__1::integral_constant<bool, true>) const /src/json/src/json.hpp:11061:32
#4 0x5bfd58 in bool nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::strtonum::to<long, void>(long&) const /src/json/src/json.hpp:10953:24
#5 0x5a716e in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::get_number(nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>&, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::token_type) const /src/json/src/json.hpp:11125:39
#6 0x5954cf in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse_internal(bool) /src/json/src/json.hpp:11409:45
#7 0x59216d in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse() /src/json/src/json.hpp:11221:33
#8 0x584c36 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer> nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse<unsigned char const*, 0>(unsigned char const*, unsigned char const*, std::__1::function<bool (int, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse_event_t, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>&)>) /src/json/src/json.hpp:6479:40
#9 0x582c7d in LLVMFuzzerTestOneInput /src/json/test/src/fuzzer-parse_json.cpp:34:19
#10 0x53593e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:550:13
#11 0x536188 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:501:3
#12 0x513658 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:268:6
#13 0x518b1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:517:9
#14 0x512cc8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#15 0x7f5acb09c82f in __libc_start_main